13 Major Vulnerabilities Discovered in AMD Zen Architecture, Including Backdoors

[mtcn77]

Chimera allows you to run arbitrary code in the chipset. If the BIOS chip was connected directly to the chipset, then this would enable silent flashing in any system state as long as the chipset has power.

Since the BIOS chip is connected to the CPU on Zen, this is not possible, at least not directly. It's still possible to use DMA to write code inside the CPU memory, which then gets executed, which then flashes the ROM.

Edit: I'll research whether the chipset is connected to the SPI bus on which the ROM lives.

What I took from the first edition was, you needed that "Masterkey" in order for that to work(system memory addressing to PSP memory still wasn't possible), otherwise the system integrity check would bust it out since it is still blocked from any other vector than Masterkey.
This version is more cryptic, good luck to the readers.

 

[TheLostSwede]

According to what Anandtech has mentioned about these "flaws", not only would you need admin access, but also a signed driver.
As far as I'm aware, it's not very easy to get a signed driver for Windows these days, as Microsoft does a fair amount of testing, especially on drivers from new companies.
I'm also not aware of any other way to get an authentic signed driver that will install without kicking up a major fuss.

Let's wait and see what the fallout (sorry) of this will be, but it's obviously not good news if any of this proves to be true. On the other hand, it seems like a lot of it can be patched in software without causing any performance related issues, since none of these claimed vulnerabilities would affect the system performance as it looks.

Also, why would the CFO of a security company be in a video about security vulnerabilities? That makes no sense at all...
And why do they sound Russian rather than Israeli?

Edit: Also, why would AMD's CPU's have the same security issues as ASMedia's chips? The chipset, sure, but the CPU's, no. The "CEO" claim they found these issues when they were looking into the security of chips made by ASMedia and then somehow found the same "back doors" that they found in ASMedia chips were in AMD's processors. This makes no sense at all.

Also note that the so called whitepaper is located at safefirmware.com, i.e. an entirely different website. Does that mean this is some kind of scam to make money from some kind of alternative UEFI/firmware implementation?


Edit 2: A quick look on LinkedIn shows the Co-Founder at CEO of CTS Labs with a five year gap since his last job, which was for some kind of software cyber security company that is now part of Magic Leap (yes, that company). It makes you wonder how someone like this comes out of nowhere to become the face of something like this.

As to my comment above about sounding Russian, I guess the CFO and one other guy actually speaks Russian, so it might just "colour" their English.

 

[W1zzard]

What I took from the first edition was, you needed that "Masterkey" in order for that to work, otherwise the system integrity check would bust it out since it is still blocked from any other vector than Masterkey.
This version is more cryptic, good luck to the readers.

Yes, you need the masterkey to execute Chimera. The Secure Processor firmware validation or UEFI validation has nothing to do with this attack and can not prevent it.

 

[Recus]

But AMD/Intel common enemy is Nvidia. Why would Intel publish fake story about AMD?

One thing we know is that NVIDIA has made a lot of enemies over the years. You can easily put AMD, Apple, and Intel on that list. We think that GPP is somewhat the result of those "feuds" with NVIDIA attempting to gain more control over the market as it is seeing its competitors developing products (ie AMD and Intel partnerships on products) that will not be open to NVIDIA.

 

[the54thvoid]

Wow. amdflaws.com is so well made. The website is clean, looks modern, with interview on green screen, motion design used to explain the flaws. They made a youtube channel just for that. It's not even technical they are explaining what's a cpu and a chipset.
They are checking all the point needed to impress someone who isn't tech-savyy.

That's remind me all of those video to learn how to make to money with a secret that banks and millionaire don't want to share.

Even IF this is end up to be true the effort they made on communication can't hide a malicious intent.

Yeah, I just had a good look at the website.

That is 100% marketing. Wow. The techy people here should pay attention to HOW news is delivered, not what the news is. Something normally techy is very bland and difficult for the layperson. The website that is hosting this paper is so damn spangly I want to buy what it's selling. It's actually, frighteningly professionally laid out. As if they had a really good push to make it look great. I mean really great.

I'm not saying Intel had a hand in this but ... no, really, I am.

 

[siluro818]

I believe the technical term for all this is "pulling something out of one's ass" xD

 

[CheapMeat]

I'm putting on my tinfoil hat.

 

[W1zzard]

As far as I'm aware, it's not very easy to get a signed driver for Windows these days, as Microsoft does a fair amount of testing, especially on drivers from new companies.

Just setup a company and buy a certificate from one of a handful certification companies. Microsoft does no testing of the driver and is not involved.

Driver signature is really just security through bureaucracy and a paywall.

 

[TheLaughingMan]

How do I join the committee that gets to come up with these names?

 

[TheLostSwede]

Just setup a company and buy a certificate from one of a handful certification companies. Microsoft does no testing of the driver and is not involved.

Driver signature is really just security through bureaucracy and a paywall.

So why was there a big issue about this some years ago, with multiple companies complaining that Microsoft's certification was slowing down their driver release schedule? Or this is what we got instead of proper driver testing and signing?

 

[W1zzard]

So why was there a big issue about this some years ago, with multiple companies complaining that Microsoft's certification was slowing down their driver release schedule? Or this is what we got instead of proper driver testing and signing?

You are confusing WHQL signed drivers (which are tested by MS to some degree) with plain loadable kernel mode drivers that are for no specific device. GPU-Z uses such a driver for example

 

[moob]

https://www.anandtech.com/show/1252...lish-ryzen-flaws-gave-amd-24-hours-to-respond

I feel like that's how it should have been reported here on TPU as well, with a fair amount of skepticism.

The way it's been reported here you'd never know it's shady as hell.

 

[Assimilator]

I feel like that's how it should have been reported here on TPU as well, with a fair amount of skepticism.

The way it's been reported here you'd never know it's shady as hell.

Let's all hold off on accusing something of being shady until we actually have a fuller picture, shall we?

 

[TheLostSwede]

You are confusing WHQL signed drivers (which are tested by MS to some degree) with plain loadable kernel mode drivers that are for no specific device. GPU-Z uses such a driver for example

Ah, sorry, my bad. That makes more sense now.

 

[ssdpro]

Guys, we knew AMD was operating on a shoe string budget during Ryzen development. This is not surprising. Even if Intel had a hand in research, that isn't even a crime. Chevy does ads comparing the bed of the F150 with the Silverado steel vs aluminum. It would be negligent to just let AMD market their chips one way when the reality is another. Just analyze it, fix it, and move on. Ryzen is still a great product even if it needs some patches.

 

[moob]

Let's all hold off on accusing something of being shady until we actually have a fuller picture, shall we?

So you're willing to ignore all the red flags that have already been posted here? Especially the 24 hours notice?

Other tech sites are reporting it with the same amount of skepticism: https://www.hardocp.com/news/2018/03/13/amd_cpu_attack_vectors_vulnerabilities
And http://www.tomshardware.com/news/amd-flaws-ryzenfall-masterkey-fallout-chimera,36656.html

Even if the reported "flaws" do exist, the way it's been done has been shady.

 

[Veradun]

They all require admin rights, I'll clarify in the original post.

For the last: what is not fully verified is whether DMA can write into the fenced off memory, the rest like keylogging and sniffing network is confirmed according to the researchers.

Clarified the original post: "To exploit this attack vector, administrative privileges are required. Whether DMA can access the fenced off memory portions of the Secure Processor, to additionally attack the Secure Processor through this vulnerability, is not fully confirmed, however, the researchers verified it works on a small number of desktop boards."

So they can keylog and sniff network when in root mode? They are so good at hacking.

Laughable.

 

[Te5lac0il]

Amazing how many people comment on the title alone. People need too read an article before commenting. As many other has mentioned, the way the company presented these findings should, too any reasonable person, raise some red flags. But I suspect most people will swallow this hook, line and sinker.

 

[CheapMeat]

Also, this is one of the saltiest forums on the internet. The amount of school girl fanboism is hilarious, I feel bad for the mods. Great site but garbage community, I would ban every salty users and just start from clean lol cause their holding ya back Techpowerup.

Heh, ban yourself while at it. You're the same, newbie.

 

[Boatvan]

Looking at this from a pure logical standpoint, the implications are massive, but I'd wait for verification of the findings. Also, anyone who didn't expect high sodium levels in this thread are fools.

 

[windwhirl]

Heh, ban yourself while at it. You're the same, newbie.

I can feel the burn from here

 

[csgabe]

#Amdfalls.

 

[mtcn77]

Sensationalism at its best, knew it was coming from 'let's pepper AMD for not sending us our review unit' news posts.

 

[Thunderclap]

you know, i find this hilarious. not just the sheer bullshit these 2 'stralian kids are trying to do, but people who actually believe it as well.

 

[FordGT90Concept]

Looks like traders already rejected it. If the intent was stock manipulation, it failed:
https://www.nasdaq.com/symbol/amd/real-time